
CVSS: 7.5 | EPSS: 0% | CPEs: 2 | EXPL: 0

In mistune through 2.0.2, support of inline markup is implemented by using regular expressions that can involve a high amount of backtracking on certain edge cases. This behavior is commonly named catastrophic backtracking.
• https://github.com/lepture/mistune/commit/a6d43215132fe4f3d93f8d7e90ba83b16a0838b2
• https://github.com/lepture/mistune/releases
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TQHXITQ2DSBYOILKHXBSBB7PFBPZHF63
• CWE-1333: Inefficient Regular Expression Complexity

CVSS: 6.1 | EPSS: 0% | CPEs: 2 | EXPL: 0

Cross-site scripting (XSS) vulnerability in the _keyify function in mistune.py in Mistune before 0.8.1 allows remote attackers to inject arbitrary web script or HTML by leveraging failure to escape the "key" argument.
• https://bugzilla.redhat.com/show_bug.cgi?id=1524596
• https://github.com/lepture/mistune/blob/master/CHANGES.rst
• https://github.com/lepture/mistune/commit/5f06d724bc05580e7f203db2d4a4905fc1127f98
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NUR3GMHQBMA3UC4PFMCK6GCLOQC4LQQC
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

mistune.py in Mistune 0.7.4 allows XSS via an unexpected newline (such as in java\nscript:) or a crafted email address, related to the escape and autolink functions.
• https://github.com/lepture/mistune/pull/140
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')